Attack on SolarWinds could have been countered by reproducible builds

Hans-Christoph Steiner hans at guardianproject.info
Wed Dec 30 15:41:08 UTC 2020


Holger Levsen:
> hi,
> 
> On Mon, Dec 21, 2020 at 01:58:01PM -0500, Santiago Torres-Arias wrote:
>> To be a little bit more upfront: I think that we as a community
>> sometimes focus on "is this thing reproducible" and not on "how can I
>> use this to secure the ecosystem".
> 
> I fully agree and believe this is due to us still encountering way too
> many practical technical problems. It's really hard to think practically
> about something which mostly only exists in theory.
> 
> I mean, the tails ISO is the only 'product' I'm aware of which can be
> meaningfully verified currently. And probably some android apps too,
> though alone fetching an .apk with adb from a phone and verifying it is nothing
> I could recommend as 'easy' to anyone (except android hackers).
> 
> But for the big linux distros we aren't there yet. And thus it's very
> hard to focus on user stories and to keep the focus there. At least that's
> my explanation why we drift into details constantly.

If you'd like to see a concrete use, for the apps that require
reproducible builds in F-Droid, an APK build is not signed and released
unless f-droid.org's build matches the upstream developer's APK.

.hc

-- 
PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556
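As an added illustration of the F-Droid check described in the message above (example code, not F-Droid's own tooling): it compares every zip entry of a constructed upstream-signed APK against a constructed unsigned rebuild, ignoring only the v1 (JAR) signature files under META-INF/. It assumes the v1 signature layout; v2/v3 signing blocks sit outside the zip entries and are not inspected here.

```python
import io
import zipfile
import hashlib

# Entries written by APK v1 (JAR) signing. They are absent from an unsigned
# build and are the only part that is expected to differ from the upstream APK.
SIGNATURE_PREFIX = "META-INF/"
SIGNATURE_SUFFIXES = (".RSA", ".DSA", ".EC", ".SF", "MANIFEST.MF")

def is_signature_entry(name):
    return name.startswith(SIGNATURE_PREFIX) and name.upper().endswith(SIGNATURE_SUFFIXES)

def entry_digests(apk_bytes):
    """Map each non-signature zip entry to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if is_signature_entry(info.filename):
                continue
            digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def compare_apks(upstream_apk, rebuilt_apk):
    """Return the sorted names of entries missing from either APK or differing in content.
    An empty list means the rebuild matches upstream modulo the v1 signature files."""
    a, b = entry_digests(upstream_apk), entry_digests(rebuilt_apk)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))

def make_apk(entries):
    """Build a constructed, minimal zip standing in for an APK (sample data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample inputs: the same app payload signed upstream, rebuilt unsigned, and tampered.
APP_FILES = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00" + b"\x00" * 16}
UPSTREAM_SIGNED = make_apk({**APP_FILES,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
    "META-INF/CERT.SF": b"Signature-Version: 1.0\n",
    "META-INF/CERT.RSA": b"\x30\x82"})  # placeholder bytes, not a real PKCS#7 block
REBUILT_UNSIGNED = make_apk(APP_FILES)
TAMPERED_UNSIGNED = make_apk({**APP_FILES, "classes.dex": b"dex\n035\x00" + b"\x01" * 16})

if __name__ == "__main__":
    print("match:", compare_apks(UPSTREAM_SIGNED, REBUILT_UNSIGNED))      # []
    print("mismatch:", compare_apks(UPSTREAM_SIGNED, TAMPERED_UNSIGNED))  # ['classes.dex']
```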
